RE: Cookies - Raising Awareness

Part of the problem here is that we're asking a question about the
technology (which generally doesn't mean anything to the end user) and
not about the data that it collects (which might resonate a little
more). Here's the actual legal requirement:

 

Member States shall ensure that the storing of information, or the
gaining of access to information already stored, in the terminal
equipment of a subscriber or user is only allowed on condition that the
subscriber or user concerned has given his or her consent, having been
provided with clear and comprehensive information, in accordance with
Directive 95/46/EC, inter alia, about the purposes of the processing.
[emphasis mine]
(http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF)

 

This isn't about the placement of a cookie, it's about the creation of a
data trail, connected to a unique identifier, that allows a service
provider to remember certain qualities about a user. If you're using
Flash cookies, local storage or fingerprinting to accomplish the same
goals, then arguably the same requirement applies.

 

But here's the exception: 

 

This shall not prevent any technical storage or access for the sole
purpose of carrying out the transmission of a communication over an
electronic communications network, or as strictly necessary in order for
the provider of an information society service explicitly requested by
the subscriber or user to provide the service.'

 

Which means that logins, state management etc. wouldn't be covered. 

 

Perhaps it's time to go back to basics, stop focusing on the technology,
and find a way to talk about the data and its purpose?

 

Best,

K

 

-----Original Message-----
From: public-privacy-request@w3.org
[mailto:public-privacy-request@w3.org] On Behalf Of David Singer
Sent: 26 July 2010 08:04
To: Jochen Eisinger
Cc: public-privacy@w3.org
Subject: Re: Cookies - Raising Awareness

 

I guess my worry is that I can't think of anyone who knows how to answer

 

Do you want to accept cookie "fzwq1FwnrN2vxoi...HcLUz6vO0f2mRQ" from
google.com?

 

and that the browser can't tell me either what is encoded directly in
the cookie, or what it 'points at' in a database at google.  Without
knowing these two, I have no idea what the consequences of acceptance
are, and I certainly don't know what services will fail if I say "no".

 

 

On Jul 24, 2010, at 10:21 , Jochen Eisinger wrote:

 

> On Sat, Jul 24, 2010 at 10:13 AM, David Singer <singer@apple.com> wrote:

>> !

>> 

>> If I am asked 'do you want to accept this cookie?' I would
>> immediately ask back 'what is it tracking?'.  I have no idea what the
>> right answer is....

>> 

>> Turning off cookies is somewhat going completely
>> incognito/untrackable; kind of like wearing a stocking over your head,
>> generic black pants and jacket, dark glasses, and doing all your
>> transactions using 'ransom notes' and unmarked, used, $10 bills. It's
>> a bit extreme.

> 

> I'd argue that it mainly breaks logins for you.

> 

> Tracking can be done without HTTP cookies, e.g. using flash cookies,

> local storage, fingerprinting etc.

> 

> We're however currently experimenting with replacing the cookie prompt

> with a more usable blocking mode. You can test it on Chrome's current

> dev channel. When you block cookies, we'll collect both blocked and

> accepted cookies (and other site data such as local storage). Click on

> the blocked cookie symbol and select "show cookies etc..". This will

> pop up a dialog that displays all cookies for the current web page,

> and lets you create exceptions for accepting/blocking cookies from

> certain domains. It's not yet perfect, esp. the creation of exception

> doesn't give you any feedback, but what do you think about the general

> approach?

> 

> -jochen

> 

> 

 

David Singer

Multimedia and Software Standards, Apple Inc.

 

 

Received on Thursday, 29 July 2010 06:35:57 UTC